Social Media Security Measures Lacking Among Federal Agencies

Fewer than one third of the federal agencies that use social media have created safeguards against hackers seeking to exploit their accounts to launch cyber attacks on government networks, according to a report released Thursday.

The report by the Government Accountability Office (GAO) found that nearly all major federal agencies (23 of 24) now use Facebook, Twitter and YouTube to provide information about agency activities and interact with the public. But only seven agencies have identified and documented the security risks and taken measures to prevent hackers from using those sites to gain access to federal information systems, the report found.

The study found that some agencies had taken security measures for social media. For example, the report found that the Department of Health and Human Services blocks employee access to social media sites except for staff who need them for business purposes. But the State Department told GAO investigators it had no plans to assess the agency's social media security because its internal policies did not require it.

"Most agencies did not have documented assessments of the security risks that social media can pose to federal information or systems, which could result in the loss of sensitive information or unauthorized access to critical systems supporting the operations of the federal government," the report said.

As an example, the GAO report cited a 2009 incident in which hackers sent an unauthorized tweet from President Obama's Twitter account offering his followers a chance to win $500 in free gasoline in exchange for filling out a survey.

The report cited two popular techniques hackers use against federal agencies: spear phishing, in which hackers trick employees into opening an attachment containing a virus, and social engineering, in which hackers dupe employees into giving out their passwords.

The review comes as hackers increasingly set their sights on breaching government networks.

In February 2011, the Director of National Intelligence testified that the amount of malicious software targeting U.S. computers and networks had more than tripled since 2009.

Chester Wisniewski, a senior security adviser at Sophos, Inc., said he was not surprised by the report's findings. He said most high-level government officials probably treat social media as "a toy" because they are not actively engaged in it.

But Wisniewski said the consequences of a federal agency being hacked could be dangerous, particularly if, for example, hackers compromised the Department of Homeland Security's Twitter account and issued a false terror warning to its nearly 41,000 followers.

"These are the official mouthpieces of these agencies," he said. "When we get a message from them, we take it to be the truth. People could take it very seriously and it could cause a bit of panic."